AdedapoOG/SOC-Automation
SOC Automation Home Lab

Overview

This project simulates a Security Operations Center (SOC) environment where I designed detection rules, investigated alerts, and supported response workflows using Splunk, Python, and PowerShell.

The goal is not just log collection, but demonstrating how a SOC analyst detects, triages, and responds to suspicious activity.


What I Built

  • SPL detections for authentication abuse and suspicious PowerShell activity
  • Basic automation scripts (Python & PowerShell) to support triage and response
  • Investigation playbooks to guide analyst decision-making
  • A structured workflow from alert → investigation → action

Tools Used

  • Splunk (SIEM)
  • Sysmon / Windows Event Logs
  • Linux Syslog
  • Python
  • PowerShell
  • Kali Linux (attack simulation)

Detection Scenarios

1. Brute-Force Login Detection

Detect repeated failed login attempts from a single IP.

  • Detection: detections/brute_force_linux.spl
  • MITRE ATT&CK: T1110 (Brute Force)

2. Suspicious PowerShell Execution

Detect encoded or obfuscated PowerShell commands.

  • Detection: detections/suspicious_powershell.spl
  • MITRE ATT&CK:
    • T1059.001 (PowerShell)
    • T1027 (Obfuscation)

3. Unusual Login Spike

Detect abnormal volume of successful logins from a single source.

  • Detection: detections/suspicious_login_spike.spl
  • MITRE ATT&CK: T1078 (Valid Accounts)

Analyst Outcomes

Example: Brute Force Detection

What the alert shows: Multiple failed login attempts from a single IP address.

How I investigate

  • Identify source IP and target host
  • Check for successful login after failures
  • Review account type (privileged vs standard)
  • Correlate with other logs from the same source

Decision

  • Monitor if no compromise
  • Escalate if login succeeds after failures
  • Reset credentials and block IP if malicious
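Added example, not code from the repository: a Python version of the scenario 1 brute-force logic combined with the "successful login after failures" check from the investigation steps above, so the output already carries the monitor/escalate decision. The sshd log lines are constructed sample data, and the 5-failures-in-60-seconds threshold is an assumption rather than the repository's tuned value.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample sshd auth.log lines (not real data).
SAMPLE_LOG = """\
Mar 10 10:00:01 web01 sshd[2201]: Failed password for root from 203.0.113.5 port 50222 ssh2
Mar 10 10:00:03 web01 sshd[2203]: Failed password for root from 203.0.113.5 port 50224 ssh2
Mar 10 10:00:05 web01 sshd[2205]: Failed password for admin from 203.0.113.5 port 50226 ssh2
Mar 10 10:00:07 web01 sshd[2207]: Failed password for invalid user test from 203.0.113.5 port 50228 ssh2
Mar 10 10:00:09 web01 sshd[2209]: Failed password for dave from 203.0.113.5 port 50230 ssh2
Mar 10 10:00:15 web01 sshd[2211]: Accepted password for dave from 203.0.113.5 port 50232 ssh2
Mar 10 10:01:00 web01 sshd[2220]: Failed password for dave from 198.51.100.9 port 40001 ssh2
Mar 10 10:30:00 web01 sshd[2230]: Accepted publickey for dave from 192.0.2.44 port 40100 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def parse(log_text, year=2024):
    """Parse sshd lines into (timestamp, result, user, ip); syslog omits the year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_brute_force(events, threshold=5, window_s=60):
    """Flag IPs with >= threshold failures inside a sliding window_s window, and record
    whether that IP authenticated successfully afterwards (the escalation criterion)."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in events:
        (fails if result == "Failed" else successes)[ip].append((ts, user))
    alerts = {}
    for ip, f in fails.items():
        f.sort()
        lo = 0
        for hi in range(len(f)):
            while (f[hi][0] - f[lo][0]).total_seconds() > window_s:
                lo += 1  # drop failures that fell out of the window
            if hi - lo + 1 >= threshold:
                later = [u for ts, u in successes.get(ip, []) if ts >= f[hi][0]]
                alerts[ip] = {"failures": hi - lo + 1,
                              "users": sorted({u for _, u in f[lo:hi + 1]}),
                              "success_after": later,
                              "decision": "escalate" if later else "monitor"}
                break
    return alerts
```

Running `detect_brute_force(parse(SAMPLE_LOG))` flags only 203.0.113.5, with the later accepted password for dave turning the decision into "escalate"; the single failure from 198.51.100.9 stays below threshold.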

Example: Suspicious PowerShell

What the alert shows: PowerShell executed with encoded or suspicious commands.

How I investigate

  • Review command-line arguments
  • Check parent process
  • Identify user context
  • Look for follow-on activity (downloads, persistence)

Decision

  • Validate if legitimate admin activity
  • Isolate and escalate if suspicious

Automation Scripts

Python

  • scripts/python/enrich_ip_reputation.py
    Used to add context to suspicious IP addresses during alert triage.

PowerShell

  • scripts/powershell/block_ip.ps1
    Used to block suspicious IP addresses on a host.

Evidence

Brute Force Detection

[Screenshot: Splunk brute-force detection]

PowerShell Detection

[Screenshot: Splunk PowerShell detection]


SOC Workflow

  1. Logs are generated from systems
  2. Splunk detection identifies suspicious activity
  3. Alert is triaged and validated
  4. Investigation is performed
  5. Scripts support enrichment/response
  6. Decision is made (monitor / escalate / contain)

Skills Demonstrated

  • Splunk detection engineering
  • SOC alert triage and investigation
  • MITRE ATT&CK mapping
  • Python & PowerShell automation
  • Security analysis and decision-making

Author

Adedapo Ogunwoolu
Cybersecurity Portfolio Project

About

Hands-on SOC home lab with Splunk SIEM, Kali, Metasploitable; log ingestion, detections, alerts, and attack simulations.
